A statue outside the Federal Trade Commission's headquarters in Washington, DC.
Have you been told that your Android phone is defective and dangerous? If not, the American Civil Liberties Union says you’ve been deceived. Worse, the ACLU says you’ve been exposed to cyber threats by the wireless carriers you pay every month.
Today, the ACLU filed a complaint with the Federal Trade Commission against Sprint, T-Mobile, Verizon, and AT&T, naming two major problems with the phones they sell and control. First, the ACLU says that by delaying or denying software updates for Google’s Android mobile operating system, carriers have left consumers open to malware, bugs, and exploits. "Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous," the ACLU writes in its complaint, noting that these security holes can lead to interception of private data, spear-phishing campaigns, stalking, and fraud. "The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information."
Secondly, the ACLU alleges that carriers have deceived customers by not informing them about the security risks present in their own custom-made versions of Android. The ACLU’s goal is to prompt an FTC investigation that would ultimately force the major carriers to warn consumers that their carrier-controlled Android devices pose security risks, and allow consumers to exchange or return their phones. In its complaint, the ACLU writes that carriers "have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch."
"Fundamentally, the carriers want the ability to control the software that runs on the handsets," ACLU Principal Technologist and Senior Policy Analyst Chris Soghoian told The Verge in an interview. "But they don’t want the responsibility that goes along with that."
So why is the ACLU — a civil liberties advocacy group — going after mobile carriers for screwing consumers out of Android updates? The answer, oddly enough, has to do with the new vogue of national defense in Washington: cybersecurity. Some of the recent federal measures introduced to deal with so-called "cyber threats," like the Cyber Intelligence Sharing and Protection Act (CISPA), which allows broad information sharing between private companies and the government, have been criticized by opponents for encroaching on privacy rights. And privacy sits squarely in the ACLU’s domain.
The ACLU’s action is timed purposefully to coincide with "cybersecurity week" in Washington, as lawmakers debate how best to equip the military and law enforcement organizations with more power on the internet. "It seems pretty clear that cybersecurity is being used as a vehicle to push things that don’t really have much to do with it," Soghoian says. "Cybersecurity is becoming a trump card through which the government can get other things it wants. We realized that if we were going to push back against things like CISPA, we needed to identify other cybersecurity problems that could be dealt with without violating our civil liberties." But despite the larger agenda, the ACLU’s complaint is rigorous enough to stand alone.
The 17-page complaint broadly covers research, including recent statements made by federal officials and lawmakers, about the consequences of lackadaisical software maintenance on privacy and cybersecurity. But the major issue identified by the ACLU isn’t new, and has chapped mobile junkies for years: carrier-instigated Android fragmentation. The crux of the problem is that wireless operators control software updates for their Android devices from the point of sale to end-of-life, allowing carriers to send updates on their schedule instead of Google’s. For many Android devices, carriers and hardware partners modify Google’s operating system with custom user interfaces and other features, preventing users from receiving updates directly from Google as soon as they are available.
Commitments from carriers and handset manufacturers to release Android updates in reasonable timeframes have gone unfulfilled, some permanently so. To get a sense of scale, consider that Android 2.3, released in 2011, still runs on about 44 percent of Android devices. That same year, there was a glimmer of hope that things would change; several Android phone manufacturers and US wireless carriers promised to provide timely updates for at least 18 months after a phone’s launch as part of a "Google Update Alliance." (But even this arrangement wasn’t perfect, since most cell contracts for subsidized devices run for two years in the US — potentially leaving customers without updates for a quarter of the life of their contract.) Nearly every carrier and handset manufacturer followed the Google Update Alliance commitment with delays, misdirection, or outright backtracking. But has this made Android users less secure?
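The support-window arithmetic above (an 18-month update commitment against a 24-month contract) is the kind of check an organization managing carrier-controlled Android handsets can run over its own inventory. The following script is an added example, not code from the article, the ACLU complaint, or any carrier; the device records and the reference date are constructed, and the 90-day staleness threshold and the 4.0 version floor are assumptions chosen for illustration. It flags each device that has fallen outside the update commitment, has not received an update recently, or runs a version below the floor.

```python
"""Audit a fleet of Android handsets against an update commitment.

Added example; the fleet data, reference date, staleness threshold and
version floor are constructed or assumed for illustration only.
"""
import calendar
from dataclasses import dataclass
from datetime import date

# Policy inputs. 18 months and 24 months are the figures the article cites;
# the 90-day staleness threshold and the 4.0 version floor are assumptions.
SUPPORT_MONTHS = 18
CONTRACT_MONTHS = 24
STALE_DAYS = 90
MIN_VERSION = (4, 0)


@dataclass
class Device:
    model: str
    carrier: str
    launched: date        # date the handset went on sale
    last_update: date     # date of the most recent firmware/OS update
    android_version: str  # reported Android release, e.g. "2.3.6"


def parse_version(text: str) -> tuple:
    """'2.3.6' -> (2, 3, 6); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def unsupported_contract_fraction(support_months: int = SUPPORT_MONTHS,
                                  contract_months: int = CONTRACT_MONTHS) -> float:
    """Share of a contract spent after the update commitment has lapsed."""
    return max(0, contract_months - support_months) / contract_months


def audit(devices, today: date) -> dict:
    """Return {model: [reasons]} for every device that fails a check.

    Devices that pass every check are omitted from the result.
    """
    findings = {}
    for dev in devices:
        reasons = []
        if today > add_months(dev.launched, SUPPORT_MONTHS):
            reasons.append("outside support window")
        silent_days = (today - dev.last_update).days
        if silent_days > STALE_DAYS:
            reasons.append("no update in %d days" % silent_days)
        if parse_version(dev.android_version) < MIN_VERSION:
            reasons.append("below version floor")
        if reasons:
            findings[dev.model] = reasons
    return findings


# Constructed sample inventory; names and dates are invented for the example.
CONSTRUCTED_FLEET = [
    Device("handset-A", "carrier-1", date(2011, 6, 1), date(2011, 12, 1), "2.3.6"),
    Device("handset-B", "carrier-2", date(2012, 11, 1), date(2013, 3, 20), "4.1.2"),
    Device("handset-C", "carrier-3", date(2012, 3, 1), date(2012, 10, 15), "4.0.4"),
]
REFERENCE_DATE = date(2013, 4, 15)  # constructed "today" for the audit


def audit_fleet() -> dict:
    """Run the audit over the constructed fleet at the reference date."""
    return audit(CONSTRUCTED_FLEET, REFERENCE_DATE)


if __name__ == "__main__":
    print("unsupported share of contract: %.2f" % unsupported_contract_fraction())
    for model, reasons in audit_fleet().items():
        print(model, "->", "; ".join(reasons))
```

Handset-A trips all three checks, handset-B passes, and handset-C is current on version and still inside its window but has gone 182 days without an update, which is the case a staleness check catches that a version-only check would miss.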
Be safe out there: f-secure.com/static/doc/lab… — Philip Schiller (@pschiller) March 7, 2013
It’s debatable how afraid Android users should be of a malware infection, especially when private mobile security firms release new harrowing stats every month or so. In 2012, Juniper Networks reported that Android malware had risen 3,325 percent in seven months, and similar firms regularly sound the malware alarm. Last September, Duo Security claimed that more than half of Android devices are vulnerable. "As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users’ mobile devices often remain vulnerable for months and even years," Duo wrote.
Most of these threats, however, come from third-party app stores that Android users in the US are less likely to come across.
Last September, as part of an Android security investigation, SecurityWeek managing editor Mike Lennon told The Verge that "for those downloading from the Google Play Store, they’re much, much less likely to have problems than, say, users in China who are using alternative markets." And Mikko Hypponen of F-Secure said that while average Android users don’t need to worry about malware, they "still have some real-world problems compared to iPhone or Windows Phone users, who currently have no malware problems at all." But despite the rough consensus that Android has a malware problem — or, at least, a bigger malware problem than its competitors — the carriers have been mostly quiet about the risks.
That leads to the ACLU’s second major complaint: that wireless carriers simply haven’t told customers about the risks involved in using their tightly-controlled Android devices. "At a very basic level, this issue is about companies not telling consumers about defective products," the ACLU’s Soghoian said. "It’s really not that different from a company that sells you a toaster they know will explode." Of course, carriers aren’t totally quiet about Android security issues — especially when there’s money to be made. Both Sprint and Verizon have partnered with McAfee to provide Android security apps at an added cost to consumers. In a press release announcing its new mobile security app last year, Verizon admitted that "many [consumers] do not realize that smartphones are susceptible to some of the same security and privacy threats that plague laptops and desktops." Verizon hoped this would help customers realize they needed to pay an extra $1.99 a month to protect themselves.
"The cellphones are defective products, and the phone companies know they’re defective," Soghoian says. "Google has fixed the flaws and told their partners, and the partners are not pushing the updates out to consumers." So how can the problem be fixed?
Critically, the ACLU is not asking the government to force US carriers to provide updates to consumers. Instead, the group wants the FTC to compel mobile operators to warn subscribers with carrier-controlled Android phones that have "known, unpatched security vulnerabilities." For those carrier-supplied phones that don’t receive regular updates, the ACLU is asking the FTC to force wireless carriers to allow subscribers to end their contracts early without an early termination fee. The complaint also asks the FTC to compel wireless carriers to allow those subscribers with a carrier-supplied Android phone less than two years old to exchange their phone at no cost "for another phone that will receive prompt, regular updates directly from Apple, Google, Microsoft or another mobile operating system vendor," or to receive a full refund.
The ACLU believes the market will self-correct if carriers are forced to tell consumers that their versions of Android are less secure than Google’s, or even competing platforms like iOS or Windows Phone. "When you walk into the Verizon store or the AT&T store, and you’re picking your phone, right now you pick the phone which is the cheapest, or the fastest, or the one with the best battery," Soghoian says. "If consumers at the time of purchase realize that one phone will get updates and the other will never get updates, that might be a factor in their choice. But the market won’t function if consumers don’t have enough information."
We requested comment from all four major US carriers about the ACLU’s action, but none of the wireless operators were able or willing to address the core of the complaint. In an email to The Verge, Sprint spokesperson John Taylor wrote that the company "follows industry-standard best practices designed to protect its customers." Verizon Wireless returned a similar response, reiterating its current practices.
Verizon Wireless is focused on ensuring our customers have a good experience with their smartphones and tablets. We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to customers. We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience. We will review the complaint when it is filed with the FTC.
When briefed on Sprint and Verizon’s comments, Soghoian suggested they miss the point. "The problem is not that carriers are better than competitors, it’s that the entire industry has let consumers down when it comes to Android," Soghoian said. "It’s not about being better or worse. The carriers are all bad, which is why we filed a complaint against all of them."
T-Mobile did not respond to a request for comment by the time this story was published, and AT&T declined to comment on the ACLU’s complaint.
Google did not respond to The Verge's request for comment by the time of publication.
Soghoian is confident that the carrier control issue is ideal for the FTC to investigate. "There’s a privacy regulator in the United States and it’s the FTC," Soghoian said. "The agency knows what it’s doing." Of course, an FTC investigation may not result in action for years, and the FTC won’t tip its hand during any efforts around the ACLU’s complaint. "They are like a black hole, that’s just how they do business," says Soghoian, who worked for a year at the FTC as its first technologist. "You can complain to them and then not hear from them for two years." Still, Soghoian is optimistic that the FTC will lead the way in forcing carriers to admit to the flaws in their use of Android, and that sensible changes could prevent the need for drastic cybersecurity legislation in Congress.
"The carriers really don’t have a good reason for why they haven’t told consumers," Soghoian says. "The reason they can get away with this is because people don’t know. The carriers are in a really indefensible position."